What: Former University of Texas student appeals conviction of computer fraud.
When: The 5th Circuit Court of Appeals rules on January 24.
Outcome: Conviction, restitution and sentence of five years of probation is upheld.
What happened, according to court documents:
Around 1990 at Carnegie Mellon University, an undergraduate student wrote a program designed to steal his classmates' accounts.
It mimicked the text-based login prompt used on the school's Sparcstations and DECstations, and surreptitiously recorded hapless students' usernames and passwords when they tried to log in. Once those were saved, it printed the equivalent of "try again," exited and brought up a real login prompt.
The faux username prompt was discovered when a system administrator tried to log in--and noticed the system rejected his password far more quickly than it should have, if it actually took the time to authenticate through the Kerberos protocol. After being nabbed and disciplined internally, the student graduated and went on to work as a staff member at the university. Today he's a well-respected programmer.
That was a more innocent era, before the rise of the Web and widespread criminal activity online. Just ask Christopher Phillips, a former University of Texas computer science student who was convicted in federal court of hacking and is appealing his sentence.
Phillips wrote a Java program that was less clever and more aggressive than the one at Carnegie Mellon more than a decade earlier. It used the brute-force method of trying to connect to a UT computer called "TXClass Learning Central," which required only a Social Security number to log in. (A more secure system would have required a password and other hard-to-guess information as well.)
The Java program was eventually refined so that instead of trying random SSNs, it generated ones that came from only the 10 most populous Texas counties. (The formula is publicly available.) When Phillips' program found a valid SSN, it entered that person's account and automatically extracted personal information about that individual from the TXClass database. The Java program then changed the SSN by an increment of one and tried again.
What's a little odd is that this apparently continued for some 14 months without UT realizing what was going on. Normally, TXClass received 20,000 log-in attempts per month, but Phillips' program increased it to as many as 1.2 million. The overload allegedly caused TXClass to crash several times in early 2003, making hundreds of Web applications inaccessible--including online library, payroll, accounting, admissions and medical databases.
Eventually, UT discovered the intrusion attempts and contacted the Secret Service. Phillips admitted that he was behind the brute-force attack on TXClass, but claimed that he was not going to use or sell the information.
He was indicted and convicted by a jury of one count of computer fraud. An article from June 2005 in the Austin American-Statesman said Phillips was 22 years old and that he was acquitted of more serious charges.
"I'm sorry to my parents, the University of Texas and all these people," he said at the time. "It just wasn't in my mind-set that this kind of thing was going to have this sweeping effect."
A federal judge sentenced Phillips to five years of probation, 500 hours of community service and restitution of $170,056, the amount the university said it cost to investigate and fix the problem. He appealed, claiming that the restitution figure was too high and that the jury instructions were in error.
The 5th Circuit Court of Appeals upheld Phillips' conviction and sentence on January 24.
Excerpts from the 5th Circuit's opinion:
Phillips asserts that the Government failed to produce sufficient evidence that he "intentionally access(ed) a protected computer without authorization."
Courts have therefore typically analyzed the scope of a user's authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user.
Applying such an intended-use analysis, in United States v. Morris (PDF), a case involving an invasive procedure that prefigured modern port scanning, the Second Circuit held that transmission of an Internet worm designed "to demonstrate the inadequacies of current security measures on computer networks by exploiting...security defects" was sufficient to permit a jury to find unauthorized access."
Phillips' brute-force attack program was not an intended use of the UT network within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data that he was not permitted to view or use.
During cross-examination, Phillips admitted that TXClass' normal hourly hit volume did not exceed a few hundred requests but that his brute-force attack created as many as 40,000. He also monitored the UT system during the multiple crashes his program caused and backed up the numerical ranges of the Social Security numbers after the crashes so as not to omit any potential matches.
Phillips intentionally and meticulously executed both his intrusion into TXClass and the extraction of a sizable quantity of confidential personal data. There was no lack of evidence to find him guilty of intentional unauthorized access.
Phillips makes a subsidiary argument that because the TXClass Web site was a public application, he, like any Internet user, was a de facto authorized user. In essence, Phillips contends that his theft of other people's data from TXClass merely exceeded the pre-existing generic authorization that he maintained as a user of the World Wide Web, and he cannot be considered an unauthorized user.
This argument misconstrues the nature of obtaining "access" to an Internet application and the CFAA's use of the term "authorization." While it is true that any Internet user can insert the appropriate URL into a Web browser and thereby view the "TXClass Administrative Training System" login Web page, a user cannot gain access to the TXClass application itself without a valid Social Security number password to which UT has affirmatively granted authorization.
Neither Phillips nor members of the public obtain such authorization from UT merely by viewing a login page or clicking a hypertext link. Instead, courts have recognized that authorized access typically arises only out of a contractual or agency relationship.
Finally, Phillips contends that the district court erred in its award of restitution for costs incurred by UT in conducting a computer damage and systems evaluation, and contacting individuals whose biographical information and Social Security numbers were stolen.
Since Phillips raises this issue for the first time on appeal, we review the award for plain error. There is no error at all...UT was a victim, and it collaborated with the investigation and incurred costs to notify other victims of Phillips' data theft in order to determine whether they had suffered further damage.